My OSCP Journey
Introduction
The Offensive Security Certified Professional is an ethical hacking certification offered by Offensive Security that teaches penetration testing methodologies and the use of the tools included with the Kali Linux distribution.
It comes with the Penetration Testing with Kali video and PDF course and it’s one of the major certifications in the penetration testing world. In this article I take the time to talk about the journey that brought me to achieving this certification, all of the steps I followed, the learning material and platforms I used to prepare etc.
Background
Before I decided to take the OSCP, most of my penetration testing experience came from online capture the flag challenges, as my job involved information security but not so much pentesting. I had a very good understanding of the Linux operating system and bash as I had been using Linux for 5/6 years, networking and fundamental security concepts.
I had completed a fair number of Udemy courses on the subject, which can be found in this article, although I felt like the knowledge I gained was very disparate and hard to apply in real life situations.
I had previously obtained the CompTIA A+, Network+, Security+ and Pentest +, and the eLearnSecurity Junior Penetration Tester.
After doing some of the certifications and courses listed above, along with some of the challenges on Hack the Box, I felt it was time to aim for OSCP.
Pre-Registration
I started preparing for the certification just after the beginning of 2020, I started with a few books and some online material.
Books/Courses
- Red Team Field Manual – A thorough reference guide for Red Team members which contains the basic syntax for common command line tools, unique use cases for Python and Windows PowerShell, Windows wmic and dsquery tools, key registry values, scheduled tasks syntax, startup locations and Windows scripting.
- The Hacker Playbook 3 – This is the third version of the Hacker Playbook series, it includes full walkthroughs that simulate real life scenarios, with techniques that included but aren’t limited to , web application exploitation, active directory, lateral movement, privilege escalation and much more.
- Python for Pentesters – A course from Pentester Academy that covers a lot of penetration testing related use cases on Python such as sniffers and packet injectors, malware analysis and reverse engineering, attack task automation and much more.
Online OSCP Preparation Guides
I also looked at a few OSCP guides to start giving my preparation path a bit more shape:
- A Detailed Guide on OSCP Preparation – From Newbie to OSCP
- Journey to OSCP – 10 Things You Need to Know
- TJnull’s Preparation Guide for PWK/OSCP
Online Challenges
The first practice I have done was completing some online challenges from the following platforms:
- OverTheWire – Bandit, Leviathan, Natas, Krypton, Narnia and Behemoth.
- UnderTheWire – Century, Cyborg and Groot
- Root Me – Web Client and Web Server challenges
VulnHub Practice Machines
I then proceeded with some practice with the following machines from Vulnhub, updating my notes every time I had found a new tool or technique.
| Kioptrix Level 1 | Sickos 1.2 |
| Kioptrix Level 1.1 | Skytower 1 |
| Kioptrix Level 1. 2 | DC416 |
| Kioptrix Level 1. 3 | Lin.Security |
| Stapler 1 | Zico2 |
| FristiLeaks 1.3 | Lord of the root 1.0.1 |
| PwnLab:init | Web developer 1 |
| Kioptrix 2014 | DC 6 |
| Mr robot 1 | Solidstate |
| HackLab Vulnhix | Hackme 1 |
| PWnOS: 2.0 | Escalate_linux 1 |
| IMF | Temple of Doom |
| VulnOS 2 | Pinkys Palace 1 |
Exam Preparation
In this phase I started preparing for the exam with the material that was provided by Offensive Security, going through all of the learning material, completing all of the available exercises and lab machines.
The PWK course
I enrolled for the course on the 1 of May and the course was set to start on the 7th of June, I purchased three months of lab time and as soon as my access started by going through the videos and the PDF learning material provided with the course, completing and documenting the exercises as I went through the various sections.
Although the course material was really thorough, well explained and easy to comprehend, even in some of the more difficult subjects like buffer overflow, it’s nowhere near enough to prepare you for the exam, in fact, most of your learning required to pass will be through your own research.
The amount of content in the PDF/videos and of exercises is incredibly huge, and as such it took me about one and a half months to finish all of the exercises, after that I started with the labs. I highly recommend documenting all of the exercises as they will grant you an extra 5 points during your certification exam.
The PWK Labs
It took me about five weeks to complete all of the boxes in the labs, and I suggest to try and complete as many as you can, as the more you do the less likely you will be to come across unknown applications or environments during your exam. Make sure you carefully document the steps you performed to compromise each and every one as these could come in handy later on.
With your access time, you get access to the official forum where you can discuss the lab machines with other students, and provide/receive hints. Each machine has its own forum section so this makes it really easy to navigate through it and find what you need.
Some machines will require prior compromise on a different host, so if there’s not clear pathway that’s something you should consider before spending too much time on them. If you are stuck on a box, take a step back and go through your methodology (which you should have by now) and enumeration steps again, there will definitely be something you missed
The Forums
I would like to spend a few words on the forums as these were both my salvation and my damnation. As I went through the lab machines, without realizing, I slowly started relying on the forums more and more, to the point where I would look at hints after 15 minutes from the start of a machine or as soon, and all of this was because I set for myself the goal to complete 2-3 machines a day.
I learned at my own expense that this wasn’t the right approach, as the time required to root a box can’t be calculated and shouldn’t be forced, instead it should come naturally as your skills start to grow. Don’t get me wrong, the forums can be very useful and I don’t completely agree with the “try harder” mentality. I think like often in life, there has to be balance; you don’t want to rely on the forums too much but at the same time you don’t want to keep banging your head against a wall for 5 hours going down a rabbit hole, you’re supposed to learn after all. As a rule of thumb, if after 2 hours you have not made any progress you’re probably going down a rabbit hole and it’s the time to either take a different approach with the box or look at some hints.
Pre-Exam phase
After completing all of the lab machines, I booked my exam for the 23rd of October 2020, which means I had almost two months to prepare for the exam. I didn’t feel quite ready for the exam yet so I decided to spend some more time completing the following Hack The Box machines from the NetSecFocus Trophy Room list:
| Linux | Windows |
| Lame | Legacy |
| Brainfuck | Blue |
| Shocker | Devel |
| Bashed | Optimum |
| Nibbles | Bastard |
| Beep | Granny |
| Cronos | Arctic |
| Nineveh | Grandpa |
| Sense | Silo |
| Solidstate | Bounty |
| Valentine | Secnotes |
| Poison | Bastion |
| Sunday | Buff |
| Tartarsauce | Servmon |
| Irked | Jerry |
| Active |
I completed most of them with no hints or very little hints, if I was stuck for more than two hours I would refer to either the PDF guide provided in the platform or the Ippsec walkthrough.
Useful Resources & Notes
As I was completing various capture the flag challenges, reading books and doing courses and following online guides and walkthroughs, I kept taking notes whenever I found something interesting that I thought could come in handy later on and I slowly started building a substantial repository of notes. Below are some of the information and links I gathered when researching on some of the most complex parts of my OSCP preparation.
Privilege Escalation
Privilege escalation is a crucial skill to know in order to pass the OSCP certification exam and become a better penetration tester overall. After completing the labs I felt I needed more preparation on this subject, so I used the following resources:
- Windows Privilege Escalation for OSCP & Beyond!
- Linux Privilege Escalation for OSCP & Beyond!
- Basic Linux Privilege Escalation by g0tmi1k
- Sagi Shahar
- Windows Privilege Escalation Fundamentals
- HackTricks – Linux Privilege Escalation
- A guide to Linux Privilege Escalation
- Elevating your Windows Privileges Like a Boss! – Jake Williams
- Windows and Linux Privilege Escalation – OSCP 2020
- Linux Privilege Escalation – Tradecraft Security Weekly #22
- Windows Privilege Escalation Techniques – Tradecraft Security Weekly #22
- Linux Privilege Escalation and Pentesting – Red Team Training – Nezuko Vulnhub Walkthrough
Additionally, I created a Linux and Windows privilege checklist, which should help in finding a suitable path in most machines.
Stack Buffer Overflow
Stack Buffer Overflow can seem overwhelming to some of the students initially approaching OSCP, but once you learn the basic steps involved in the exploitation process and get familiar with them, it will all become very natural.
As much as the PWK course and the labs cover buffer Overflow quite well, I still didn’t feel 100% confident so I decided to do some more practice against software that is known to be affected by BOF vulnerabilities and BOF practice machines:
- Stack Buffer Overflow – Exploiting SLMail 5.5
- Vulnhub – Brainpan 1 Walkthrough
- Stack Buffer Overflow – Vulnserver Guide
- Stack Buffer Overflow – dostackbufferoverflowgood Guide
This article I wrote explains in great detail the steps required in order to perform stack buffer overflow exploitation, from both a theoretical and a practical standpoint. It includes a full example and some reference links to other useful buffer overflow guides.
#1 Exam Attempt
My exam started at 9am Sydney time, the night before I couldn’t get much sleep as I was too anxious and in the morning I didn’t have any breakfast as I wasn’t feeling well. Nonetheless, I was ready to start at 8:45 and I went through the initial setup steps(the proctors are very kind and helpful) which were very seamless, after which the real test started.
I started running some Nmap scans while working on the buffer overflow machine. Unfortunately this took a lot more than expected as I did not check for bad characters properly and therefore missed a few without realizing at first, which cost me more than an hour later on when I had to go through all my steps again to identify where I messed up.
After I was finished with the BOF it was about 11:30am and I was already really stressed out because what I thought was the easier part turned out to be a nightmare because of a mistake I made.
I took a short break, had something to eat and then started again, unfortunately I wasn’t able to complete any other boxes, and despite what people normally say, I ended my exam early at about 11pm as I wasn’t able to make any progress and I didn’t feel like I was going to.
This was both a big disappointment but also an eye-opening revelation, which demonstrated how much I relied on hints and how much I felt lost in a true black box-like environment. I therefore decided to take the weekend off and start practicing again.
Post-exam phase
After failing my first attempt I decided to sign up for other training platforms to keep practicing in order to improve in the areas where I lacked the most, which were enumeration and privilege escalation.
Virtual Hacking Labs
I first signed up for Virtual Hacking Labs. I really liked this platform, the learning material is very thorough but concise, the platform itself is easy to use and there are about 40 machines you can complete, between windows, Linux and one android box. I completed all of the available boxes apart from 2 hard ones, which I decided to leave since there are no hints available and I didn’t want to spend too much time on them. A review for virtual hacking labs is available at this link.
Proving Grounds
I then decided to sign up for Proving Grounds, a platform that was recently released by Offensive Security themselves. This allows you to practice with Windows and Linux boxes and it is great to prepare for OSCP. A full review of this platform is available here.
I completed about 30 of the available boxes and then decided to move on as my exam was in only 4 days and the only boxes left were all hard ones and would have required a lot of research.
TryHackMe Offensive Pentesting Path
During the last 3 days before my exam, in order to get as much practice done as I possibly could, I decided to sign up for TryHackMe’s Offensive Pentesting Path.
TryHackMe is an online platform for learning cyber security and penetration testing through hands-on exercises and labs designed to teach practical skills. I really liked the layout of the platform and the way it functions, there are learning paths available you can enroll for, and the Offensive Pentesting path contains a lot of machines that aim to prepare you for the OSCP certification exam. A review of this learning path is available at this link.
#2 Exam Attempt
The Night Before
Going into my second attempt I felt a lot more confident than the first time, I knew what to expect and I knew it was a marathon rather than a sprint, and as such I should take proper breaks, eat and drink properly etc. My exam started on the 22nd of December 2020 at 8am Sydney time, I had a good night of sleep and once I woke up I took a shower, made myself a smoothie and sat in front of my desk.
8am-9:30am
I started with the buffer overflow box and by 9:30am I was done with it, in the meantime I had been running enumeration scans on the four other hosts using AutoRecon. I then decided to take a little break.
9:45am-11:45am
Once back, within about an hour I had a user shell on one of the medium boxes, and since privilege escalation did not seem straightforward and kept me stuck for almost an hour I moved to the easy box, which I completed in about 45 minutes. I then decided to go for another break since I already had 50 points including the lab report and there was no point in rushing it.
12pm-1:30pm
At about 12pm I resumed my exam, I spent about an hour on the other hard box but unfortunately I couldn’t find an exploitation vector, I also tried a few more privilege escalation techniques on the first medium box with no luck. I then decided to go for lunch as it was about 1:30pm.
2:30pm-5pm
After I was back from lunch, I gave another crack at both the medium boxes but I was stuck in a rabbit hole for more than an hour again. I was very discouraged and I was having a terrible headache so I decided to go for a nap for a couple of hours.
7:00pm-9pm
Back from my nap at about 7:00pm, I felt very refreshed and had another go at escalating privileges on the first medium box, which after some tribulation finally worked, so I had 60 points at 8PM. I then decided to start looking at the hard box, which was easier than I thought as I was able to get a user shell in under 30 minutes, I then spent 30 minutes looking at common privilege escalation vectors but I wasn’t able to find any so at about 9PM I went for dinner, knowing I theoretically had 72.5 points.
10pm-12am
Back from my dinner at about 10PM I spent the next 2 hours trying to get root access on the hard box or get a user shell on the medium box, unfortunately I could not make any more progress, although I didn’t feel completely hopeless. I anyway decided to end my exam at about midnight, as I knew I had enough points to pass and I could not afford to sleep the entire day after.
Exam Report
I was taking notes as the exam went on and I would take screenshots for each command/script I’d run or page I’d visit, which really helped during the reporting phase. I double checked my notes at the end to make sure I had everything I needed, including the user and root flags.
I decided to complete my exam report the same day as the day after I was supposed to prepare for the Christmas party I was hosting on the night of the 24th at my place. After a short break, at around 12:30 I started working on my exam report which took about 2 hours, I then spent another half hour double checking the report, making sure that both the exam and lab reports were in the correct format.
I suggest you read the exam guide at least a couple of times before going into the exam as there a lot of instructions to follow when doing your exam and writing your report.
After less than 48 hours I received the following email stating I had passed the exam. There are no words to express how happy this made me, it was like a Christmas gift from Offsec.
Conclusion
The whole journey although frustrating at times, has been a huge learning experience in terms of both knowledge and mindset which are both required in real life engagements. Receiving a pass at the end and therefore knowing all those sleepless nights were not in vane was extremely rewarding.
Additional Sources & Resources
Below are some additional resources and tools that were extremely useful to me during the OSCP preparation and the exam itself. I suggest you take the time to explore each one as I’m sure they will be incredibly valuable to you.
Useful Tools
- CherryTree
- Tmux
- Vim
- SecLists
- LinPEAS/WinPEAS
- Windows Exploit Suggester – Next Generation (WES-NG)
- Linux Exploit Suggester 2
- PowerShell-Suite
Thank You for sharing so valuable info. Congrats on getting OSCP cert, Man! Wish You all the best!
I am really glad to see it was helpful for someone out there, best of luck on your journey!
Great information in your article. Thanks.
I am very glad it was useful to you!
I am thankful for the information you have provided. I will incorporate it in my own study plan to implement my own strategy.
No worries at all! I am glad it was of help.
I am thankful for the information you have provided. I will incorporate it in my own study plan.